The Ultimate Joomla Security Guide – Step by Step (2019)

If your Joomla website has ever been hacked, you’ll surely take website security very serious, because of the pain you went through during the time your website got hacked!

Securing your Joomla website against hackers and vulnerabilities would require you to invest money and more time just to have your Joomla website secured. Investing money to keep your Joomla website secured could be; running your website on a managed hosting plan which is more expensive and secured than shared hosting. It could also be; paying a cyber security expert to secure it for you. This would really cost you enough money to do. There are other things that would cost you money, if you really want to keep your website clean.

There’s one thing we’d like you to note; Joomla security is beyond installing Joomla and also installing the best Joomla security extensions to help you do the job, you have your role to play! Joomla security is about giving your Joomla website the best security practices, but, it’s not all about Joomla extensions. Picking a secured web hosting provider for your Joomla website, using strong password, not giving out your administrative login details, etc, are some of the things you should do to keep your Joomla website secured. Like I said, it isn’t all about security extensions in Joomla!

This JovialGuide is an ultimate Joomla security guide that would show you how to and the things you should do to have your Joomla website secured. Never forget that no website is flawless (without vulnerabilities). It is either the vulnerability hasn’t been discovered yet, or, has been discovered but no one has any idea of how it could be exploited, or, they just choose to not exploit the vulnerabilities!

Is Joomla Secure?

If there’s any security question about Joomla that comes to your mind, it’s how secure Joomla is! Joomla is secured and there’s no doubt about that, not because of the availability of its security extensions, but, because it was built to be secure. It’s a very secure Content Management System (CMS), this doesn’t mean that it has no security flaws, it has! The most important thing you should do is to give your Joomla website the best Joomla security practices.

Joomla Security Issues

Every website has it own security issues, whether it’s a CMS like WordPress or any kind of website written from scratch, they all have their own security issues, not just Joomla alone! It is very true that Joomla is a pretty secured Content Management System, but it has vulnerabilities like every other Content Management System. Most of Joomla’s security problems are remote issues. Weak administrative password is an example of Joomla security issues which we’ll also see (and many others) in this JovialGuide.

What Happens if my Joomla Website Gets Hacked?

You don’t have to be told what would happen if your Joomla website gets hacked! You should know that you may loose your Joomla website, get defaced, get destroyed, etc. We always recommend you give your Joomla website the best security practices, to avoid stories that touches the heart! Just like when someone breaks into a house to steal. They break in to steal and destroy, so, you don’t have to wonder what would happen if your Joomla website gets hacked!

Best Joomla Security Extensions

There are dozens of security extensions created specially for Joomla websites. These security extensions help you secure, provide report on the most recent attacks, etc, in your Joomla website. Joomla security extensions don’t just provide reports on the most recent, blocked or failed attempts, but they also help you secure your Joomla website!

Here are some of the Joomla security extensions you should use:

  • jSecure
  • jDefender
  • jHackGuard

Best Joomla Backup Extensions

The best Joomla backup extensions are also available, both free and paid versions. These Joomla backup extensions enable you make backup of your Joomla website in case anything happens. Anything like; Joomla website gets hacked, poor web hosting service, etc. The backup of a website is used to restore a website when anything happens to the website on a live webserver. There are many backup extensions for Joomla, in this JovialGuide, we are listing just 4 of them. These Joomla backup extensions are:

  • Akeeba Backup
  • LazyDbBackup
  • xCloner
  • Easy Joomla Backup – EJB
  • Etc

1. Backup Your Joomla Website Regularly

What happens when you loose your website to hackers? How do you restore it? There’s absolutely no way of getting your Joomla website back without the help of your website backup. Backup helps you restore your website if it gets hacked or you suddenly loose your website for any reason.

We always advice regular backup of your Joomla website to avoid stories that touches!

What else do hackers do to one’s website when they get access to it, if not to steal, destroy, etc. You could easily restore your website if you made a backup of it.

Website backups are done in case anything happens to your website. Backups aren’t done with any certain thought/mind that you are surely going to loose your website. But, it’s done in case anything happens to your website.

What happens if you didn’t make any backup of your Joomla website? Forget it, your Joomla website is gone for life! Do well to always backup your Joomla website regularly in case anything happens to your website.

You don’t have to worry about backing up your Joomla website/database regularly if your website is on a managed web hosting server. Backups are done regularly on your behalf by your web hosting technical experts.

2. Make Use of Strong Password

Your Joomla website becomes pretty easy to hack if you use weak password for your administrative account. Most of the successful hacking attempts in Joomla, are as a result of the use of weak passwords. Many people use their names, date of birth, pet name, etc, as their administrative password, which allows their Joomla website to be hacked easily (using trial and error method, brute force method, guessing method, etc). To harden your Joomla website, we highly recommend you use strong password for your administrative account!

3. Keep Joomla up to Date (Extensions and Templates)

You already know that anything that is outdated is no more in use. Any software that has an updated version means that there were bugs found in the previous version, and the bugs that were discovered, has been patched, and a new version of the software is out!

You don’t have to be told or reminded to update all of your Joomla core files (core files, I mean Joomla templates, Joomla extensions and Joomla software itself), up to date. If new versions of them has been released, it means that bugs were found in the previous version.

Your Joomla templates, extensions and Joomla software itself, should be up to the latest version. It helps your website have an excellent performance. Many of the problems you encounter aren’t from your web hosting provider, a good number of them are from you, because you think that finding time to update your Joomla core files (template, extensions and Joomla software itself) to the latest version would take your time, and after all, isn’t necessary! You lied to yourself, because they are absolutely necessary for your website security! Except you are thinking of leaving your Joomla website open to vulnerabilities.

A new version of any Joomla core file have security patches and can’t be easily hacked, because bugs are yet to be found. Don’t forget that nothing has absolute security, nothing’s absolutely secure!

Running the latest version of all Joomla core files make your website less vulnerable to hacking attacks.

You don’t have to worry about updating your Joomla core files regularly if your website is running on a managed hosting plan. Everything’s done by your web hosting technical experts.

4. Stay Away From Paid Extensions or Templates Offered for Free

This is one of the most common method attackers use in gaining access to your website unexpectedly. They Inject malicious code into the premium template or extension you are receiving from them for free. And when installed and activated, they automatically have remote control over your Joomla website.

The next thing that comes into your mind is your web hosting provider. You’d say; “they have started again, they aren’t trusted and their webserver isn’t secure enough to protect websites from minor hacking attempts”. And finally, you’d say; “hey, I’m leaving, your hosting company isn’t secure!” when you actually are the one that caused it!

Premium templates and extensions offered for free aren’t always offered just for free, they use it in taking control of your website, while others use it in destroying or defacing your website.

Why would someone purchase an extension or a template and then offer it for free without anything in exchange? Something must be behind it!

You don’t have to be told now to stop using premium templates and extensions that are offered free on your Joomla website. It’s pretty risky!

5. Stay Away from Poorly Coded Extensions and Templates

Running Joomla templates or extensions that are poorly coded by a beginner is very risky.

Poorly written extensions and templates could cause different serious harm to your Joomla website, some of them could destroy your website, deface your website or even overwrite the important files that make up your Joomla website.

Whether it is a template or extension that is coded by an unexperienced person, or that is badly coded, isn’t recommended. They could cause serious harm to your website or leave them open to different web application vulnerabilities/attacks. So, stay away from them!

6. Restrict User Previlage When Uploading Files

This should be considered serious if you allow attachment/file upload in the comments section or you run a forum in Joomla that allow files/attachments upload. This should be watched closely!

Attachments could be uploaded into website’s webserver which could be harmful to your website. These files, when uploaded into the webserver, gives the attacker the privilege to gain full access to your website. This could result in stealing important contents from your webserver, deleting and defacing the most important pages (for example the index.php file) of your Joomla website.

Some of these scripts render your webserver and website weak, such that it can’t withstand further hacking attempts. While some of these scripts gives the attacker the privilege to remotely control and gain full access to your website. While some simply reset/change your website password.

This script we have been talking about is called a shell.

We recommend that you make use of the .htaccess file available in your File Manager of your web hosting account to either limit file upload by size and by type, or, totally block file/attachment uploads.

7. Restrict/Limit Access by IP Address to the Administrative Directory of your Joomla Website Using .htaccess

Limiting access to the sensitive administrative directory of your Joomla website is one of the steps you should quickly take to harden your Joomla website against hackers. We call it the sensitive administrative directory in your Joomla website because anyone that gets access into it, is actually in the right position to destroy your Joomla website in just a second! Since it’s a very sensitive directory in your Joomla website, it has to be secured against hackers!

It’s annoying when someone we didn’t permit accesses our privacy.

Restricting access works with the help of an IP address (Internet Protocol address) that is written together with a code snippet which is added to a configuration .htaccess file. Any IP address that isn’t in the code snippet added to the .htaccess file, won’t be allowed into the administrative directory of your Joomla website. This is more like a magic but it isn’t!

7.1. How to Limit Access by IP to the Administrative Directory of Joomla Using .htaccess

Blocking/restricting access to the administrative directory of your Joomla website, won’t only harden your Joomla website but scare hackers from your Joomla website, since the security is tight!

Would you like to restrict access by IP to the administrative directory of your Joomla website? Do the right thing by blocking unauthorized access!

One of the tutorials we wrote, teaches you how to restrict access by IP to the administrative directory of Joomla using .htaccess

8. Be Careful When Choosing a Joomla Web Hosting Provider

A secured Joomla web hosting provider is the most important thing you should consider when choosing a web hosting service provider for your Joomla website. Meaning that your Joomla web hosting provider contributes (greatly) to most of the successful hacking attempts that took your Joomla website down (if your website has ever been hacked). Running your Joomla website on an improperly configured webserver would expose your website to vulnerabilities, making them absolutely easy for hackers to get into your Joomla website.

Shared hosting aren’t as secure as you think! When you host your Joomla website on a shared hosting server, it is hosted on an open or shared server/environment as every other website. Meaning that; when any website on the same shared hosting server (as your website) is attacked, it may affect your Joomla website, make your website become at risk and your website may be attacked also!

On like managed hosting, your Joomla website is hosted on a properly configured webserver which carries additional security. On a managed hosting, you don’t share resources with any website, whether it is hosted on a managed hosting server (of that same hosting provider as your website) or not!

There’s something that is great about a shared hosting server, the price! The cost of hosting a Joomla website on a shared server is affordable! Shared hosting is the cheapest for any body and it’s recommended or suitable for small websites (with low traffic). One bad thing about shared hosting server is that; it’s not all that secured.

A managed hosting server is absolutely secure, and it can accomodate any number of traffic (depending on the managed hosting plan you choose for your Joomla website). It’s recommended or suitable for large website (with large amount of traffic). The bad side of hosting your Joomla website on a managed hosting server is that; it’s pretty expensive!

Shared hosting plans are cheap and less secured while managed hosting plans are absolutely secure, but pretty expensive. Everything has good and bad sides!

Some web hosting servers are improperly configured, they can’t withstand minor hacking attempts. This is the reason we always recommend you host all of your Joomla websites with SiteGround, because of their excellent web hosting services.

SiteGround invests a lot of money to maintain their webserver. Their excellent web hosting services has rewarded them to be an official web hosting provider for WordPress. For a complete list of other hosting providers officially recommended for WordPress, take a look at the list of the web hosting providers officially recommended for WordPress (recommended by

Since there are hundreds of Joomla web hosting service providers in existence, we wrote a JovialGuide that would help you choose the best Joomla web hosting provider for your website. It will show you the top 10 best Joomla web hosting providers. We also wrote a JovialGuide that gives you top 5 best reasons you should transfer or host your next Joomla website with SiteGround

8. Protect Your Joomla Website During Installation

Protecting your Joomla website during installation, happens to be what you should consider very serious, but you don’t! You may not know how vulnerable your Joomla website is because of poor configuration during installation of Joomla.

During the installation processes, you are always asked to choose a super user password, username, enter Email address, database username, database password, etc. At this time, you’d like to choose a very simple login details that would be easy for you to remember. These simple login details you chose, exposes your website to simple website attacks. For example: brute force attack. We do these things without being security conscious!

These simple and easy to remember login details we chose during installation could be changed by you at anytime. No one has the knowledge of the time hackers would decide to visit your website. So, it’s risky!

9.1. How to Protect Your Joomla Website During Installation

Protecting your Joomla website during installation is pretty simple. We have written a JovialGuide that explains everything about your Joomla website during installation. It’d teach you how to secure your Joomla website during installation

10. Enable Two Factor Authentication (2FA)

Two Factor Authentication is one of the best Joomla security practices every website owner should implement to keep their Joomla websites safe. The use of 2FA hardens your Joomla website in that, anyone that tries to login to your Joomla website (with the correct details), will have to verify identity, by having to enter the code sent to the Email address/phone number associated with the username. You can see that this is really a long process. The attacker would always find it pretty difficult to break into your Joomla website.

When enabling Two Factor Authentication (2FA), the Email address or phone number of the administrator is always required for verification. Meaning that; you’ll have to enter the Email address you’d like the verification code to be sent to. This is an Electronic mail account that you have access to!

We also wrote;

Conclusion on – the Ultimate Joomla Security Guide Step by Step (2019)

This ultimate JovialGuide on Joomla security has shown you the things you need to do to properly secure your Joomla website against hackers.

Website security is a topic no one jokes about. Being hacked costs a lot! A good number of hackers hacker for money while some hack just to steal from your website. If you have ever been hacked, you’d understand the pains of being hacked!

We have this Joomla security tutorial to guide you to proper Joomla website security because poor or weak website security is the biggest problem and fear of website owners.

We mentioned earlier that your web hosting provider could be the reason your Joomla website keeps getting hacked. This is absolutely true! Poorly configured webserver exposes your Joomla website to vulnerabilities of different types. This is the reason we recommend you use SiteGround, for all of your Joomla web hosting services because their webserver is configured for proper website security.

Did you know that restricting access to the administrative directory of Joomla (by IP address) hardens your Joomla website, making it pretty hard for hackers to hack into it? Oh! This actually works like magic. Any one whose IP address isn’t granted access to the administrative directory of your Joomla website will be denied access. This is very simple!

There are other Joomla tutorials we covered in the Joomla section of this website (JovialGuide), see our Joomla tutorials.


We provide comprehensive tutorials. Reach us on Facebook via JovialGuide.

2 thoughts on “The Ultimate Joomla Security Guide – Step by Step (2019)

  • April 22, 2019 at 1:08 pm

    You cited some security plugins that are not good at all. There are many others that have tons of features and have been proved against multiple types of hacker attacks: Akeeba, Securitycheck Pro…

    • April 22, 2019 at 3:37 pm

      Hello Susan,

      Thank you for stopping by.

      We only listed just a few of them because this post isn’t the official post on the best Joomla security extensions.

      Thank you once again for stopping by.


Leave a Reply

Your email address will not be published. Required fields are marked *